Firewalld--02 端口访问/转发、服务访问、源地址管理

leodengzx 2019-12-10

目录

防火墙端口访问/转发、服务访问、源地址管理

1. 防火墙端口访问策略

使用Firewalld允许客户请求的服务器的80/tcp端口,仅临时生效,如添加--permanent重启后则永久生效

1). 临时添加允许放行单个端口

[ ~]# firewall-cmd --add-port=80/tcp
success
[ ~]# firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client ssh
ports: 80/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

2). 临时添加放行多个端口

[ ~]# firewall-cmd --add-port={443/tcp,3306/tcp}
success
[ ~]# firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client ssh
ports: 80/tcp 443/tcp 3306/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

3). 永久添加多个端口,需要添加--permanent,并且需要重载Firewalld

[ ~]# firewall-cmd --add-port={80/tcp,443/tcp} --permanent
success
[ ~]# firewall-cmd --reload
success
[ ~]# firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client
ports: 80/tcp 443/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

4). 通过--list-ports检查端口放行情况

[ ~]# firewall-cmd --list-ports
80/tcp 443/tcp

5). 移除临时添加的端口规则

[ ~]# firewall-cmd --remove-port={80/tcp,443/tcp}
success
[ ~]# firewall-cmd --list-ports
[ ~]# firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[ ~]# firewall-cmd --reload
success
#重启之后又回来了,因为之前设置了永久
[ ~]# firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client
ports: 80/tcp 443/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

2. 防火墙服务访问策略

使用Firewalld允许客户请求服务器的http https协议,仅临时生效,如添加--permanent重启后则永久生效

1). 临时添加允许放行单个服务

[ ~]# firewall-cmd --add-service=http
success
[ ~]# firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client http
ports: 80/tcp 443/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

2). 临时添加放行多个服务

[ ~]# firewall-cmd --add-service={http,https,mysql}
Warning: ALREADY_ENABLED: 'http' already in 'public'
success
[ ~]# firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client http https mysql
ports: 80/tcp 443/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

3). 永久添加多个服务,需要添加--permanent,并且需要重Fiirewalld

[ ~]# firewall-cmd --add-service={http,https} --permanent
success
[ ~]# firewall-cmd --reload
success
[ ~]# firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client http https
ports: 80/tcp 443/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

4).通过--list-services检查端口放行情况

[ ~]# firewall-cmd --zone=public --list-services
ssh dhcpv6-client http https

5). 移除临时添加的http、https协议

[ ~]# firewall-cmd --remove-service={http,https}
success
[ ~]# firewall-cmd --zone=public --list-services
ssh dhcpv6-client
[ ~]# firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client
ports: 80/tcp 443/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[ ~]# firewall-cmd --reload
success
#重启之后,设置又回来了
[ ~]# firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client http https
ports: 80/tcp 443/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

#永久移除
[ ~]# firewall-cmd --remove-service={http,https} --permanent
success
[ ~]# firewall-cmd --reload
success
[ ~]# firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client
ports: 80/tcp 443/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

6).如何添加一个自定义端口,转其为对应的服务

#1.拷贝相应的xml文件
[ ~]# cd /usr/lib/firewalld/services/
[ /usr/lib/firewalld/services]# cp http.xml test.xml
#2.修改端口为11211
[ /usr/lib/firewalld/services]# cat test.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>WWW (test)</short>
<description>test is the protocol used to serve Web pages. If you plan to make your Web server publicly available, enable this option. This option is not required for viewing pages locally or developing Web pages.</description>
<port protocol="tcp" port="11211"/>
</service>

#3.防火墙增加规则
[ ~]# firewall-cmd --permanent --add-service=test
success
[ ~]# firewall-cmd --reload
success
[ ~]# firewall-cmd --list-services
ssh dhcpv6-client test

#4.安装memcached, 并监听11211端口
[ ~]# systemctl start memcached
[ ~]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:11211 0.0.0.0:* LISTEN 9911/memcached

#5.测试验证
[C:\~]$ telnet 10.0.0.6 11211
Connecting to 10.0.0.6:11211...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.

3.防火墙接口管理

#查看接口在哪个zone下面

[ ~]# firewall-cmd   --get-zone-of-interface=eth0
public
[ ~]# firewall-cmd   --get-zone-of-interface=eth1
public

#移除eth1接口
[ ~]# firewall-cmd  --remove-interface=eth1
success

[ ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

#添加一个接口
[ ~]# firewall-cmd   --add-interface=eth0
success
[ ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
    
[ ~]# firewall-cmd --get-zone-of-interface=eth1
no zone

#将接口跟zone进行相关联
[ ~]# firewall-cmd  --change-interface=eth0   --zone=public
success
[ ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

4.防火墙源地址管理

#禁用一个ip地址的所有访问

[ ~]# firewall-cmd   --add-source=10.0.0.8/32   --zone=drop
success

[ ~]# firewall-cmd  --get-active-zone
drop
  sources: 10.0.0.8/32
public
  interfaces: eth0

#禁用一个网段

[ ~]# firewall-cmd  --add-source=10.0.0.0/24  --zone=drop
success

[ ~]# firewall-cmd  --get-active-zone
drop
  sources: 10.0.0.8/32 10.0.0.0/24
public
  interfaces: eth0
  
#允许一个ip地址访问所有

[ ~]# firewall-cmd   --add-source=10.0.0.8/32  --zone=trusted
success
[ ~]# firewall-cmd   --get-active-zone
public
  interfaces: eth0
trusted
  sources: 10.0.0.8/32

#移除ip地址

[ ~]# firewall-cmd  --remove-source=10.0.0.8/32  --zone=trusted
success
[ ~]# firewall-cmd   --get-active-zone
public
  interfaces: eth0

5. 防火墙端口转发策略

端口转发是指传统的目标地址映射,实现外网访问内网资源,流量转发命令格式为:

firewall-cmd --permanent --zone=<区域> --add-forward-port=port=<源端口号>:proto=<协议>:toport=<目标端口号>:toaddr=<目标IP地址>

如果需要将本地的10.0.0.61:5555端口转发至后端172.16.1.9:22端口
Firewalld--02   端口访问/转发、服务访问、源地址管理

1. 开启masquerade,实现地址转换
[ ~]# firewall-cmd --add-masquerade --permanent
success

2. 配置转发规则
[ ~]# firewall-cmd --permanent --zone=public --add-forward-port=port=5555:proto=tcp:toport=22:toaddr=10.0.0.7
success
[ ~]# firewall-cmd --reload
success

3. 验证测试
[C:\~]$ ssh  5555

Connecting to 10.0.0.6:5555...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.


Last failed login: Sun Dec 8 18:59:01 CST 2019 from 10.0.0.100 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Sun Dec 8 17:21:54 2019 from 10.0.0.1
[ ~]# ip a s eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:2a:a7:17 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.7/24 brd 10.0.0.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe2a:a717/64 scope link
valid_lft forever preferred_lft forever

相关推荐